Introduction


The Information Commissioner’s Audit Committee (the Committee) 
provides scrutiny, oversight and assurance of risk control and governance 
procedures. Minutes of its meetings are available on the ICO’s website
at www.ico.org.uk.

Membership and attendance


The Committee’s chair is Ailsa Beaton, who is a non-executive director 
and member of the Management Board. 


There are two other members of the Audit Committee: Jane McCall, who 
is a non-executive director and member of the Management Board; and 
Roger Barlow, who is an independent member. 


In 2018-19, the Committee met on 15 June 2018, 15 October 2018, 17 
January 2019, 29 April 2019 and 20 June 2019. This report was agreed at 
the Committee’s meeting on 20 June 2019. Attendance of members at 
Committee meetings is detailed in the ICO’s Annual Report and Accounts 
2018-19. The Information Commissioner, Elizabeth Denham, attended all
meetings. 


The ICO’s external audit function in 2018-19 was provided by the National 
Audit Office, with BDO working on their behalf. The ICO’s internal audit 
function in 2018-19 was provided by Mazars. Representatives of external
audit and internal audit attended all of the meetings, either in person or 
by telephone. 


Secretariat for the meeting was provided by the Corporate Governance 
Team. 


Meetings during 2018-19 


The Committee considers the following issues as standing items at all of 
its meetings: 


• an update on current ICO issues, either from the Information
Commissioner or the Deputy Chief Executive Officer;

• a review of the corporate risk register;

• the most recent monthly finance report;

• progress reports from the internal and external auditors;

• discussion of audit reports and performance in clearing outstanding
internal and external audit recommendations; and

• quarterly updates on whether there have been any reported
whistleblowing, fraud or security incidents, and details of these
where appropriate.


In addition, during the year the Committee considered the following 
matters: 


• the Annual Report & Accounts for 2017-18 and for 2018-19;

• an annual review of the full risk register;

• two updates on risk register scenario planning;

• lessons learnt from outages to the ICO’s website;

• an update to the ICO’s Gifts and Hospitality Policy;

• a new ICO Third Party Collaboration Policy;

• the National Audit Office’s six-monthly guidance updates to audit
committees;

• proposals in relation to funding future ICO litigation and
investigation costs; and

• an update on the ICO’s corporate governance structures.


Internal and external audit 


During the year, the Committee reviewed the audit plan and progress 
against it on a continual basis. The Committee considered internal audit 
reviews of: 


• Financial planning and budget setting;

• People Strategy;

• IT Strategy;

• Guidance development; and

• Procurement and contract management.


In these audits, Mazars made 32 formal audit recommendations, of which 
25 have been completed. 7 recommendations are not yet due for 
completion. 


In addition, Mazars conducted advisory audits of assurance mapping and 
cyber-security (ISO27001). This led to 11 advisory recommendations, of
which 8 have been completed. 3 recommendations are not yet due for 
completion. 


Mazars’ Annual Internal Audit Report 2018-19 concluded “that the 
framework of governance, risk management, and control is Moderate in 
its overall adequacy and effectiveness. Certain weaknesses and 
exceptions were highlighted by our audit work, however none were 
considered fundamental. These matters have been discussed with 
management, to whom we have made a number of recommendations. All 
of these have been, or are in the process of being addressed, as detailed
in our individual reports.” (“Moderate” is defined by Mazars as “Some
improvements are required to enhance the adequacy and effectiveness of 
the framework of governance, risk management and control.”) 


The National Audit Office Audit Completion Report 2018-19 concluded that 
the Comptroller and Auditor General anticipated certifying the 2018-19
financial statements with an unqualified audit opinion, without 
modification. 


Audit Committee opinion 


Given the opinion of the internal auditors and external auditors as 
expressed in their annual reports, and the other information available to it 
from its work during the year, the Audit Committee can therefore provide 
the Commissioner, as Accounting Officer, with reasonable assurance that 
the ICO’s control mechanisms are working satisfactorily. 


The Committee is satisfied with the quality of internal and external audit. 
The Committee believes that, by virtue of this work, it is able to take a 
measured and diligent view of the quality of financial and other systems 
of reporting and control within the ICO. The Committee noted the limited 
assurance identified in the audit of procurement and contract 
management, but is satisfied that appropriate steps have been taken to 
mitigate this risk. The Committee is satisfied that the ICO has appropriate 
systems of internal control, which work well. 


In respect of its own performance the Committee considers that it has 
directed the internal audit function towards areas relevant to the risks 
facing the ICO. It has constructively challenged management and the 
internal audit function. It has received a high level of cooperation and 
support from all concerned. Responses to audit recommendations are 
generally positive and the Committee is satisfied that management within 
the ICO is committed to maintaining an appropriate level of internal 
control and prudent use of resources. 


This opinion feeds into the Commissioner's drafting of the Governance 
Statement for 2018-19, which was considered by the Audit Committee at 
its April 2019 and June 2019 meetings. 


27 June 2019. 


